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DETAILED ACTION 
Response to Amendments 

1 . This action is in reply to the response filed on December 1 5, 2008. 

2. Acknowledgement is made that the applicant has added new claims 13 and 14. 

3. Claims 1 and 3-14 are currently pending and have been examined. 

Information Disclosure Statement 

4. The Information Disclosure Statements filed on October 24, 2008 and January 7, 2009 has been 
considered. An initialed copy of the Form 1449 is enclosed herewith. 

Double Patenting 

5. The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in 
public policy (a policy reflected in the statute) so as to prevent the unjustified or improper 
timewise extension of the "right to exclude" granted by a patent and to prevent possible 
harassment by multiple assignees. A nonstatutory obviousness-type double patenting rejection 
is appropriate where the conflicting claims are not identical, but at least one examined application 
claim is not patentably distinct from the reference claim(s) because the examined application 
claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., 
In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 
USPQ2d 2010 (Fed. Cir. 1993); In re Long!, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re 
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Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 
619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969). 

6. A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to 
overcome an actual or provisional rejection based on a nonstatutory double patenting ground 
provided the conflicting application or patent either is shown to be commonly owned with this 
application, or claims an invention made as a result of activities undertaken within the scope of a 
joint research agreement. 

7. Effective January 1, 1994, a registered attorney or agent of record may sign a terminal disclaimer. 
A terminal disclaimer signed by the assignee must fully comply with 37 CFR 3.73(b). 

8. Claims 1 and 5 are provisionally rejected on the ground of nonstatutory obviousness-type double 
patenting as being unpatentable over claim 1 of copending Application No. 10/946146. Although 
the conflicting claims are not identical, they are not patentably distinct from each other because 
both '146 and '364 disclose a storage component configured to store a set of business processes 
describing the operations of an enterprise, each business process including one or more 
business functions, each business function being assigned to one or more employees in a set of 
employees; a compatibility registry including a set of business function incompatibilities, each 
business function incompatibility identifying business functions that should not be assigned to an 
employee; and a processing component communicating with the storage component. While the 
compatibility register in '146 further discloses associating a risk with each business function 
incompatibility, it would have been obvious to one ordinary skilled in the art to identify the risk(s) 
associated with the business function incompatibility. The last limitation of Claim 1 ('364) 
discloses "creating a report" and the last limitation of claim 1, application '146 discloses "creating 
an alert", "...the processing component is configured to identify at least one employee being 
simultaneously assigned to business functions that are identified as incompatible as per the 
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business function incompatibility via a report ('364) or an alert ('146)..." Hence, the function of 
the processing component while not identical, are not patentably distinct from one another. This 
is a provisional obviousness-type double patenting rejection because the conflicting claims have 
not in fact been patented. Dependent claim 5 of '364 is provisionally rejected on the ground of 
nonstatutory obviousness-type double patenting as being unpatentable over dependent claim 13, 
of copending application '146. Claim 5 ('364) and claim 13 ('146) disclose "...an audit system 
with a storage component configured to store a business process library having a plurality of 
business processes..." While claim 13 ('146) further discloses "describing the operations of the 
enterprise" it is inherited that the business processes describe the operations of an enterprise. 
While the two claims are not identical, they are not patentably distinct from one another. 

Claim Rejections - 35 USC § 103 

9. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all obviousness 
rejections set forth in this Office action: 

A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be 
patented and the prior art are such that the subject matter as a whole would have been obvious 
at the time the invention was made to a person having ordinary skill in the art to which said 
subject matter pertains. Patentability shall not be negatived by the manner in which the invention 
was made. 

10. The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), 
that are applied for establishing a background for determining obviousness under 35 
U.S.C. 103(a) are summarized as follows: 

a. Determining the scope and contents of the prior art. 
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b. Ascertaining the differences between the prior art and the claims at issue. 

c. Resolving the level of ordinary skill in the pertinent art. 

d. Considering objective evidence present in the application indicating obviousness or 
nonobviousness. 

11. Claims 1, 3, and 5-13 are rejected as being unpatentable over Blocher et al., US Patent 
Application No US 2002/0194059 A1, in view of The Internal Auditor, Segregation of duties in 
ERP, October 2003., Vol. 60, Iss. 5, pg. 27, Susan S. Lightle, Cynthia Waller Valrio; herein 
referred to as "Lightle". 

12. With respect to Claim 1 , 

Blocher as shown discloses the following limitations: 

• a storage component configured to store: (see at least Figure 1, paragraph 47: "...The 
computer system 10 generally comprises memory 12, input/output interfaces 14, a central 
processing unit (CPU) 16, external devices/resources 18, bus 20, and database 32. Memory 
12 may comprise any known type of data storage and/or transmission media, including 
magnetic media, optical media, random access memory (RAM), read-only memory (ROM), a 
data cache, a data object, etc. Moreover, memory 12 may reside at a single physical location, 
comprising one or more types of data storage, or be distributed across a plurality of physical 
systems in various forms...") 

• a sef of business processes describing the operations of an enterprise; each business 
process including one or more business functions, (see at least paragraph 36: ..." Business 
Process-a set of steps followed to perform a business function...."; paragraph 55: "...Once 
the process is provided, any risks therein should be identified. Each identified risk represents 
a control point that should be addressed..."; paragraph 56: "...The set of tests and set of 
actions comprise control point information. Along with other pertinent information, this 
information is arranged in a template 26 and stored in database 32...") 
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• at least one processing component in communication with the storage component, (see at 
least Figure 1, paragraph 47: "...The computer system 10 generally comprises memory 12, 
input/output interfaces 14, a central processing unit (CPU) 16, external devices/resources 18, 
bus 20, and database 32. Memory 12 may comprise any known type of data storage and/or 
transmission media, including magnetic media, optical media, random access memory 
(RAM), read-only memory (ROM), a data cache, a data object, etc. Moreover, memory 12 
may reside at a single physical location, comprising one or more types of data storage, or be 
distributed across a plurality of physical systems in various forms. CPU 16 may likewise 
comprise a single processing unit, or be distributed across one or more processing units in 
one or more locations, e.g., on a client and server..." ; paragraph 49: "...Database 32 
provides storage for arranged templates 26. Information arranged in a template could include, 
inter alia: (1) a business process; (2) a set of tests designed to identify risks in the business 
process; and (3) a set of actions designed to address the identified risks. In addition, once 
stored in database 32, reviewers and/or auditors 34 could access templates 26..."; paragraph 
52: "...Computer program, software program, program, or software, in the present context 
mean any expression, in any language, code or notation, of a set of instructions intended to 
cause a system having an information processing capability to perform a particular function 
either directly or after either or both of the following: (a) conversion to another language, code 
or notation; and/or (b) reproduction in a different material form...") 

Blocher discloses all of the limitations described above. Blocher does not disclose the following 
limitation, but "Lightle" however, as shown discloses: 

• each business function being assigned to one or more employees in a set of employees (see 
at least page 3, paragraph 15: "...an ERP based system electronically segregates duties by 
assigning user authorizations according to the types of transactions each user can 
perform..."; page 1, paragraph 2: "...SOD controls are designed to ensure that no single 
individual inappropriately handles all aspects of a transaction or business process..." 
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paragraph 5: "...the auditors also helped develop the user authorization request and approval 
process by talking directly with business process owners to review individual job 
responsibilities and investigate the rationale behind any dual assignments..."; 

• a compatibility registry including a set of business function incompatibilities, (see at least 
paragraph 7: "...the consultants provided their own proprietary SOD analysis tool..."; 
paragraph 8: "...the tool contained a matrix showing tasks that should not be combined..."; 
paragraph 9: "...the tool enabled them to test user authorizations against SOD conflicts at the 
basic level of specific transaction assignments...") 

• each business function incompatibility identifying at least two business functions that should 
not be simultaneously assigned to a single employee (see at least page 2, paragraph 7: 
"...the consultants provided their own proprietary SOD analysis internal audit tool..."; 
paragraph 8: "... the tool contained a matrix showing tasks that should not be combined, 
based on traditional SOD concepts and client experiences.... customized the software's 
matrix, adding some conflicts and deleting others based on Mead's control philosophy and 
business process design...") 

• the at least one processing component being configured to compare at least one business 
function incompatibility in the compatibility registry with the business functions assigned to 
each employee in the set of employees; (see at least page 2, paragraph 8: "...the tool 
contained a matrix showing tasks that should not be combined..."; paragraph 9: "...the tool 
enabled them to test user authorizations against SOD conflicts at the basic level of specific 
transaction assignments and to generate a report that listed potential conflicts by user 
group..."; paragraph 10: "...once the software generated it's report, the next step was to 
analyze and confirm whether any of the identified conflicts were, in fact a concern... the 
internal audit team reviewed the list and assessed each item..."; page 3, paragraph 15: 
"...these built-in SOD controls prevent any individual user from being assigned to conflicting 
transactions... the electronic system segregates authorization to initiate a transaction...") 
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• create a report identifying at least one employee in the set of employees that is 
simultaneously assigned to business functions that are identified as incompatible as per the 
at least one business function incompatibility, (see at least page 2, paragraph 9: "...using the 
new software, they were able to generate automated SOD reports.... that listed potential 
conflicts by user group...") 

It would have been obvious to one skilled in the art at the time of the invention to combine the 
system of Blocher with the SOD analysis tool of Lightle because the SOD tool is a cost-effective 
technology that internal auditors could use for identifying conflicting assignments with minimal 
assistance while not slowing down system operations throughout the organization. 

13. With respect to Claim 3, 

Blocher, and Lightle disclose all of the limitations described above, Lightle further discloses, 

• the report further includes an identification of the at least one business function 
incompatibility (see at least page 2, paragraph 9: "...using the new software, they were able 
to generate automated SOD reports.... that listed potential conflicts by user group..."; 
paragraph 10: "...once the software generated its report, the next step was to analyze and 
confirm whether any of the identified conflicts were, in fact a concern...") 

It would have been obvious to one skilled in the art at the time of the invention to combine the 
system of Blocher with the SOD analysis tool of Lightle because the automated SOD reports are 
an efficient means for identifying and reporting conflicting assignments expeditiously. 

14. With respect to Claim 5, 

Blocher, and Lightle disclose all of the limitations described above, Blocher further discloses, 

• wherein the storage component is further configured to store a business process library 
having a plurality of business processes, wherein the set of business processes is a subset of 
the plurality of business processes of the business process library (see at least Figures 1-7, 
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paragraph 49: "...Stored in memory 12 is review system 22 (shown in FIG. 1 as a software 
product). Review system 22... generally comprises an interface 24 for inputting business 
process and/or control point information, and templates 26 for arranging the inputted 
information in a standard format. Database 32 provides storage for arranged templates 26. 
Information arranged in a template could include, inter alia: (1) a business process; (2) a set 
of tests designed to identify risks in the business process; and (3) a set of actions designed to 
address the identified risks. In addition, once stored in database 32, reviewers and/or 
auditors 34 could access templates 26. Database 32 may comprise one or more storage 
devices, such as a magnetic disk drive or an optical disk drive...."; paragraph 50: 
"...Templates 26 are forms that allow all pertinent business process and/or control point 
information to be arranged in a standard format and stored so that reviewers 28 and/or 
auditors 34 can efficiently and accurately access the same..."; paragraph 59: "...each time a 
new business process is created or an existing business process is modified, a new review is 
conducted and information is arranged in a template. It should be appreciated that the 
template shown in FIGS. 2-7 is preferably completed as an electronic document on the 
computer system via the interface. However, it should be understood that template could be 
completed as a hardcopy and scanned into the computer system via external devices for 
storage in the database...") 

15. With respect to Claim 6, 

Blocher and Lightle disclose all of the limitations described above, Blocher further discloses, 
• the business process library includes a plurality of business function incompatibilities 
corresponding to at least a portion of the plurality of business processes, each business 
function incompatibility identifying at least two business functions that should not be 
simultaneously assigned to a single employee (see at least ...paragraph 63: "...FIG. 5 
depicts a fourth page 130 of the template that includes purpose section 132, and control point 
procedure section 134. Purpose section 132 allows the control point author to state the 
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identified risk or control point. For example, purpose field 132 might indicate, "individuals 
approving payments are signing checks." Control point procedure section 134 includes 
information access field 136 and control point process field 138. Information access field 136 
indicates where information pertinent to the control point can be obtained. For example, 
information access field 136 could indicate where the employee identification numbers could 
be found. Preferably, information access field 136 includes a hypertext link(s) that allows 
direct access to pertinent information. Control point process field 138 includes a test field 140 
for arranging the set of tests to be performed on the business process for identifying risks. 
For example, test field 140 could indicate the tests: (1) compare identification number of 
individual approving payment to identification number of individual signing the check; and (2) 
compare name of individual approving payment to name of individual signing the check. As 
state above, the set of tests could include one or more tests. Accordingly, test field 140 
allows for many tests to be indicated. Test execution field 142 is for arranging the test entity 
responsible for carrying out the indicated set of tests. This could be indicated based on 
particular individuals, management levels, etc. As indicated above, the test entity can be one 
individual, a group of individuals, or an expert system. Moreover, one test entity need not be 
responsible for carrying out the entire set of tests. For example, each test in the set could 
have a different executing entity...") 

16. With respect to Claim 7, 

Blocher and Lightle disclose all of the above limitations, Lightle further discloses, 
• at least one processing component is further configured to receive a selection from an auditor 
of a business process from the business process library and, in response to the selection, 
add the business process to the set of business processes describing the operations of the 
enterprise and add at least one business function incompatibility to the process compatibility 
registry.(see at least page 2, paragraph 8: "...the internal audit staff, with the help of the 
consultant, customized the software's matrix, adding some conflicts and deleting others..."; 
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paragraph 11: "...the development of the matrix of SOD conflicts is an ongoing audit 
operation...."; paragraph 12: "...as tasks evolve and employees come and go, transaction 
codes may be added and deleted, and user profiles may be created or changed, potentially 
introducing new conflicts...") 
It would have been obvious to one skilled in the art at the time of the invention to combine the 
system of Blocher with the SOD analysis software of Lightle because the SOD matrix is an 
efficient tool for ensuring that no single individual inappropriately handles all aspects of a 
transaction or business process and for identifying of any potential conflicts. 

17. With respect to Claims 8-11, 

Blocher and Lightle disclose all of the above limitations, Blocher further discloses, 

• an employee in the set of employees is assigned to a new business function wherein the at 
least one processing component is further configured to create an alert in response to the 
new business function matching at least one business function incompatibility^ see at least 
Figure 6: "...Exception field 152 includes an action field 154 for arranging the set of actions 
(i.e., one or more) to be taken to address an identified risk. For the example above, an 
exemplary action could be to "notify internal auditing." It should be appreciated, however, that 
since the review could be made before, during, or after a business process has actually 
occurred, addressing a risk could mean preventing or correcting a problem. Action execution 
field 156 allows an action entity to be designated for carrying out the set of actions. Similar to 
the above-described test execution field 142 of FIG. 5, the action entity could be an 
individual, group of individuals, or an expert system. Moreover, any quantity of action entities 
could be indicated...") 

• the alert is communicated to an auditor (see at least paragraph 4: "...a possible action to 
address this risk could be to inform corporate auditors..."; paragraph 8: "...In addition, the 
present invention provides a template and method for arranging information pertaining to 
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each control point. By using the method and template of the present invention, reviewers, 
auditors, or the like are provided with a complete resource for accurately and efficiently 
performing their duties..."; paragraph 55: "...Once a control point/risk is identified, a set of 
actions could be proposed and/or implemented to address the risk. A possible action for the 
above example could be to notify internal auditing...") 

• the alert includes an identification of the employee assigned to the new business function 

• the alert includes an identification of the at least one business function incompatibility 
matching the new business function (see at least paragraph 55: "...Once the process is 
provided, any risks therein should be identified. Each identified risk represents a control point 
that should be addressed. Preferably, a review is conducted each time a new business 
process is created, or an existing business process is modified. A possible risk with the 
invoice business process could be if the individual approving payment is also authorized to 
sign the check. To identify whether this risk has occurred (or will occur), a set of tests or 
checks is performed on the business process. The set of tests are performed by a test entity 
(i.e., an individual, group of individuals, or an expert system). An example of a test could be 
to compare the identification of the individual approving payment to the identification of the 
individual signing the check. For example, if employee number "123" of XZY, Inc. approved 
payment of invoice "456" and also signed the check, the risk exists and a control point is 
identified. Once a control point/risk is identified, a set of actions could be proposed and/or 
implemented to address the risk. A possible action for the above example could be to notify 
internal auditing...") 



18. With respect to Claim 12, 

Blocher and Lightle disclose all of the above limitations, Lightle further discloses: 
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• at least one processing component is further configured to prevent the assignment of another 
new business function to the employee in response to the new business function matching 
the at least one business function incompatibility, (see at at least page 3, paragraph 15: 
"...these built-in SOD controls prevent any individual user from being assigned to conflicting 
transactions...") 

19. With respect to Claim 13, 

Blocher discloses the following limitations, 

• a storage component configured to store: (see at least Figure 1, paragraph 47: "...The 
computer system 10 generally comprises memory 12, input/output interfaces 14, a central 
processing unit (CPU) 16, external devices/resources 18, bus 20, and database 32. Memory 
12 may comprise any known type of data storage and/or transmission media, including 
magnetic media, optical media, random access memory (RAM), read-only memory (ROM), a 
data cache, a data object, etc. Moreover, memory 12 may reside at a single physical location, 
comprising one or more types of data storage, or be distributed across a plurality of physical 
systems in various forms...") 

• a business process library comprising a plurality of business processes, each business 
process including one or more business functions, each business function being associated 
with a list of one or more other business functions that are incompatible with said each 
business function; (see at least Figures 1-7, paragraph 49: "...Stored in memory 12 is review 
system 22 (shown in FIG. 1 as a software product). Review system 22... generally comprises 
an interface 24 for inputting business process and/or control point information, and templates 
26 for arranging the inputted information in a standard format. Database 32 provides storage 
for arranged templates 26. Information arranged in a template could include, inter alia: (1) a 
business process; (2) a set of tests designed to identify risks in the business process; and (3) 
a set of actions designed to address the identified risks. In addition, once stored in database 
32, reviewers and/or auditors 34 could access templates 26. Database 32 may comprise one 
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or more storage devices, such as a magnetic disk drive or an optical disk drive...."; paragraph 
50: "...Templates 26 are forms that allow all pertinent business process and/or control point 
information to be arranged in a standard format and stored so that reviewers 28 and/or 
auditors 34 can efficiently and accurately access the same..."; paragraph 59: "...each time a 
new business process is created or an existing business process is modified, a new review is 
conducted and information is arranged in a template. It should be appreciated that the 
template shown in FIGS. 2-7 is preferably completed as an electronic document on the 
computer system via the interface. However, it should be understood that template could be 
completed as a hardcopy and scanned into the computer system via external devices for 
storage in the database..."; paragraph 54: "...the business process of paying an invoice could 
includes the following steps: (1) an invoice is received; (2) the invoice is forwarded to 
accounts payable; (3) payment is approved; (4) a check ordered; and (5) the check is signed 
and sent out. It should be understood, however, that this example is illustrative and not 
intended to be limiting. For example, the set of steps could include any quantity of steps. In 
addition, the business process is preferably provided in the form of a framework such as a 
list, design flow chart, or the like...") 

• a set of business processes describing the operations of the enterprise; (see at least 
paragraph 36: ..." Business Process-a set of steps followed to perform a business 
function...."; paragraph 55: "...Once the process is provided, any risks therein should be 
identified. Each identified risk represents a control point that should be addressed..."; 
paragraph 56: ". . .The set of tests and set of actions comprise control point information. Along 
with other pertinent information, this information is arranged in a template 26 and stored in 
database 32...") 

• at least one processing component in communication with the storage component, (see at 
least Figure 1, paragraph 47: "...The computer system 10 generally comprises memory 12, 
input/output interfaces 14, a central processing unit (CPU) 16, external devices/resources 18, 
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bus 20, and database 32. Memory 12 may comprise any known type of data storage and/or 
transmission media, including magnetic media, optical media, random access memory 
(RAM), read-only memory (ROM), a data cache, a data object, etc. Moreover, memory 12 
may reside at a single physical location, comprising one or more types of data storage, or be 
distributed across a plurality of physical systems in various forms. CPU 16 may likewise 
comprise a single processing unit, or be distributed across one or more processing units in 
one or more locations, e.g., on a client and server..." ; paragraph 49: "...Database 32 
provides storage for arranged templates 26. Information arranged in a template could include, 
inter alia: (1) a business process; (2) a set of tests designed to identify risks in the business 
process; and (3) a set of actions designed to address the identified risks. In addition, once 
stored in database 32, reviewers and/or auditors 34 could access templates 26..."; paragraph 
52: "...Computer program, software program, program, or software, in the present context 
mean any expression, in any language, code or notation, of a set of instructions intended to 
cause a system having an information processing capability to perform a particular function 
either directly or after either or both of the following: (a) conversion to another language, code 
or notation; and/or (b) reproduction in a different material form...") 

Blocher discloses all of the limitations described above; Lightle discloses the following limitations, 

• a business function compatibility registry for the enterprise; (see at least page 3, paragraph 
15: "...in an enterprise resource planning environment, tasks are linked electronically as part 
of the integration of all aspects of the organization's business information processing..."; 
page 2, paragraph 7: "...the consultants provided their own proprietary SOD analysis too..."; 
paragraph 8: "...the tool contained a matrix showing tasks that should not be 
combined. ..adding some conflicts and deleting others based on Mead's control philosophy 
and business process design...") 

• at least one processing component being configured to: 
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• receive, from an auditor, a selection of a business process from the business process library; 

• add the selected business process to the set of business processes describing the operations 
of the enterprise; and 

• add a business function included in the selected business process and its associated list of 
incompatible business functions to the business function compatibility registry. 

(see at least page 2, paragraph 8: "...the tool contained a matrix showing tasks that should not be 
combined... the internal audit staff, with the help of the consultant, customized the software's 
matrix, adding some conflicts and deleting others..."; paragraph 10: "...the internal audit team 
reviewed the list and assessed each item..."; paragraph 11: "...they continue to refine the matrix 
of SOD conflicts ...the development of the matrix of SOD conflicts is an ongoing audit 
operation...."; paragraph 12: "...as tasks evolve and employees come and go, transaction codes 
may be added and deleted, and user profiles may be created or changed, potentially introducing 
new conflicts. Mead's auditors plan to update their software periodically and reexamine different 
user groups on a rotating basis ...") 

It would have been obvious to one skilled in the art at the time of the invention to combine the 
system of Blocher with the SOD analysis software of Lightle because the SOD matrix is an 
efficient tool for ensuring that no single individual inappropriately handles all aspects of a 
transaction or business process and for identifying of any potential conflicts. 

20. Claim 4 is rejected as being unpatentable over Blocher et al., US Patent Application No US 
2002/0194059 A1, in view of The Internal Auditor, Segregation of duties in ERP, October 2003., 
Vol. 60, Iss. 5, pg. 27, Susan S. Lightle, Cynthia Waller Valrio; herein referred to as "Lightle" in 
further view of Wefers et al., International Publication No WO 2005/055098 A2. 



21 . With respect to Claim 4, 
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Blocher and Lightle disclose all of the limitations described above, the combination of Blocher and 
Lightle does not disclose the following limitations, but Wefers however as shown discloses, 

• the at least one processing component is further configured to run a set of workflow-enabled 
applications having a set of functions adapted to implement the set of business 
processes,(see at least Figure 2, paragraph 128: "...a processor may receive instructions 
and data from a read-only memory or a random access memory or both... the processor 
system may execute instructions and one or more memory devices for storing instructions 
and data..."; paragraph 81: "...once the scope and project and the internal controls for are set 
up and/or documented for the management of internal controls, workflows may be scheduled 
and implemented for these internal controls.... users in organization may be assigned roles. 
Each role may have one or more tasks or activities associated with it.... workflows are created 
and scheduled for each user based on their roles. ..workflows that may be provided by 
methods and systems of the present invention include an assessment of control design, 
assessment of control efficiency, assessment of process design, and testing of control 
effectiveness...") 

It would have been obvious to one skilled in the art at the time of the invention to combine the 
system of Blocher and the SOD analysis tool of Lightle with the workflows of Wefers because the 
the workflows are an efficient means for the assessment of an organization's internal controls and 
could also be used to identify remediation plans associated with the controls. 

Blocher, and Lightle disclose all of the limitations described above, Lightle further discloses, 

• such that an assignment of business functions to an employee in the set of employees 
enables the employee to access corresponding functions in the set of functions that 
implemented said business functions, (see at least page 3, paragraph 15: "...an ERP based 
system electronically segregates duties by assigning user authorizations according to the 
types of transactions each user can perform, permitting access only to the authorized 
transactions...") 
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It would have been obvious to one skilled in the art at the time of the invention to combine the 
system of Blocher with the SOD analysis tool of Lightle because the SOD controls would prevent 
any individual user from being assigned to conflicting transactions. 

22. Claim 14 is rejected as being unpatentable over Blocher et al., US Patent Application No US 
2002/0194059 A1 , in view of The Internal Auditor, Segregation of duties in ERP, October 2003., 
Vol. 60, Iss. 5, pg. 27, Susan S. Lightle, Cynthia Waller Valrio; herein referred to as "Lightle" in 
further view of Flaxer etal., US Patent Application Publication No US 2004/0162741 A1. 

23. With respect to Claim 14, 

Blocher and Lightle disclose all of the limitations described above. The combination of Blocher 
and Lightle does not disclose the following limitations, but Flaxer however as shown discloses, 
• at least one business process in the business process library includes a parent business 
function and a child business function, (see at least paragraph 301: "...The rules engine 1920 
is both a repository of business rules and a set of programming logic that derives schemas 
and other actions based on event input, context, and the logical application of appropriate 
rules sets. Business processes can be expressed in business rules, which are statements 
that describe and control the processes, operations and strategies of how an enterprise 
conducts its business. For business integration and collaboration, business rules define the 
policies and procedures of inter and intra-enterprise interaction. In the context of business 
process template composition, business rules specify a wide range of knowledge and policy 
including, for example, those that: establish relationships and dependencies among tasks 
leading to the dynamic creation of business process templates, define service provider 
selection, enable coordination among tasks, and reference where data is located...") 

Figure 2, paragraph 82: "...evolution of distributed business processes. The underlying 
paradigm relies on dynamic composition of localized business processes into enterprise wide 
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business processes based on business rules. The invention uses a service ontology to model 
basic concepts, terminologies and functionality in different functional domains. As shown in 
the example in FIG. 1, there is a hierarchy of functional domains in the system: each non-root 
node 115 and 116 represents a functional domain while the root 110 represents the whole 
system. In each domain, there is a service ontology 120 and a set of service composition 
schemas 130 that model business processes (i.e. composite services) in the domain. It is 
noted that service ontologies 120 are used to define service composition schemas 130, 
service description, etc paragraph 83: "...the child node inherits the properties of the 
parent node...") 

• wherein the child business function inherits the list of incompatible business functions 
associated with the parent business function, (see at least paragraph 83: "...the child node 
inherits the properties of the parent node...") 
It would have been obvious to one skilled in the art at the time of the invention to combine the 
system of Blocher and the SOD analysis software of Lightle with the Product Lifecycle 
Management system of Flaxer it is an efficient tool for ensuring a complete registry of conflicting 
business processes whereby sub-functions are also included in the database. 



Response to Arguments 

24. Applicant's arguments with respect to independent claim 1 have been considered but are moot in 
view of the new ground(s) of rejection. 

25. Applicant's arguments with respect to dependent claims 3-14 have been considered but are also 
moot in view of the new ground(s) of rejection. 
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Conclusion 

26. Any inquiry of a general nature or relating to the status of this application or concerning this 
communication or earlier communications from the Examiner should be directed to Kimberly L. 
Evans whose telephone number is 571.270.3929. The Examiner can normally be reached on 
Monday-Friday, 9:30am-5:00pm. If attempts to reach the examiner by telephone are 
unsuccessful, the Examiner's supervisor, John Weiss can be reached at 571.272.6812. 

27. Information regarding the status of an application may be obtained from the Patent Application 
Information Retrieval (PAIR) system. Status information for published applications may be 
obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR system, 
see http://portal.uspto.gov/external/portal/pair <http://pair-direct.uspto.gov >. Should you have 
questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 
866.217.9197 (toll-free). Any response to this action should be mailed to: Commissioner of 
Patents and Trademarks, P.O. Box 1450, Alexandria, VA 22313-1450 or faxed to 571-273- 
8300. Hand delivered responses should be brought to the United States Patent and Trademark 
Office Customer Service Window: Randolph Building 401 Dulany Street, Alexandria, VA 22314. 

/KIMBERLY EVANS/Examiner, Art Unit 3629 
February 2, 2009 



/John G. Weiss/ 

Supervisory Patent Examiner, Art Unit 3629 



